git: f64a688dfda9 - main - Remove gratuitous copyouts of unchanged struct mac.
Date: Mon, 13 Nov 2023 21:33:11 UTC
The branch main has been updated by brooks:
URL: https://cgit.FreeBSD.org/src/commit/?id=f64a688dfda9d664c03ba67dab27dd6c7e10784d
commit f64a688dfda9d664c03ba67dab27dd6c7e10784d
Author: Brooks Davis <brooks@FreeBSD.org>
AuthorDate: 2023-11-13 21:32:15 +0000
Commit: Brooks Davis <brooks@FreeBSD.org>
CommitDate: 2023-11-13 21:32:15 +0000
Remove gratuitous copyouts of unchanged struct mac.
The get operations change the data pointed to by the structure, but do not update the contents of the struct. Mark the struct mac arguments of mac_[gs]etsockopt_*label() and mac_check_structmac_consistent() const to prevent this from changing in the future.
Reviewed by: markj
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D14488
---
 sys/kern/uipc_socket.c | 4 ++--
 sys/security/mac/mac_framework.c | 3 +--
 sys/security/mac/mac_framework.h | 6 +++---
 sys/security/mac/mac_internal.h | 2 +-
 sys/security/mac/mac_socket.c | 8 +++++---
 5 files changed, 12 insertions(+), 11 deletions(-)
diff --git a/sys/kern/uipc_socket.c b/sys/kern/uipc_socket.c
index 880dec89245b..0ddcf0409cb0 100644
--- a/sys/kern/uipc_socket.c
+++ b/sys/kern/uipc_socket.c
@@ -3442,7 +3442,7 @@ integer:
 so, &extmac);
 if (error)
 goto bad;
- error = sooptcopyout(sopt, &extmac, sizeof extmac);
+ /* Don't copy out extmac, it is unchanged. */
 #else
 error = EOPNOTSUPP;
 #endif
@@ -3458,7 +3458,7 @@ integer:
 sopt->sopt_td->td_ucred, so, &extmac);
 if (error)
 goto bad;
- error = sooptcopyout(sopt, &extmac, sizeof extmac);
+ /* Don't copy out extmac, it is unchanged. */
 #else
 error = EOPNOTSUPP;
 #endif
diff --git a/sys/security/mac/mac_framework.c b/sys/security/mac/mac_framework.c
index 8f1aa37d45b3..682f05c6979f 100644
--- a/sys/security/mac/mac_framework.c
+++ b/sys/security/mac/mac_framework.c
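Review bot: In sys/kern/uipc_socket.c, both hunks (`@@ -3442` and `@@ -3458`) replace the `sooptcopyout()` call with a comment, so on the success path nothing touches `sopt` after the MAC call any more. If `sooptcopyout()` also records the copied length in `sopt->sopt_valsize` (its body is not visible here), the option length reported back to the getsockopt() caller may change from `sizeof extmac` to whatever length the caller passed in. Worth confirming, and if the old reported length should be preserved, set it explicitly with `sopt->sopt_valsize = sizeof(extmac);` next to the new comment. The enclosing switch cases start and end outside both hunks.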
@@ -725,9 +725,8 @@ mac_error_select(int error1, int error2)
 }
 int
-mac_check_structmac_consistent(struct mac *mac)
+mac_check_structmac_consistent(const struct mac *mac)
 {
-
 /* Require that labels have a non-zero length. */
 if (mac->m_buflen > MAC_MAX_LABEL_BUF_LEN ||
 mac->m_buflen <= sizeof(""))
diff --git a/sys/security/mac/mac_framework.h b/sys/security/mac/mac_framework.h
index 644028bde478..c69b9cd64454 100644
--- a/sys/security/mac/mac_framework.h
+++ b/sys/security/mac/mac_framework.h
@@ -408,11 +408,11 @@ void mac_socket_destroy(struct socket *);
 int mac_socket_init(struct socket *, int);
 void mac_socket_newconn(struct socket *oldso, struct socket *newso);
 int mac_getsockopt_label(struct ucred *cred, struct socket *so,
- struct mac *extmac);
+ const struct mac *extmac);
 int mac_getsockopt_peerlabel(struct ucred *cred, struct socket *so,
- struct mac *extmac);
+ const struct mac *extmac);
 int mac_setsockopt_label(struct ucred *cred, struct socket *so,
- struct mac *extmac);
+ const struct mac *extmac);
 void mac_socketpeer_set_from_mbuf(struct mbuf *m, struct socket *so);
 void mac_socketpeer_set_from_socket(struct socket *oldso,
diff --git a/sys/security/mac/mac_internal.h b/sys/security/mac/mac_internal.h
index d1ee1af09c0b..aa407598600a 100644
--- a/sys/security/mac/mac_internal.h
+++ b/sys/security/mac/mac_internal.h
@@ -210,7 +210,7 @@ void mac_labelzone_init(void);
 void mac_init_label(struct label *label);
 void mac_destroy_label(struct label *label);
-int mac_check_structmac_consistent(struct mac *mac);
+int mac_check_structmac_consistent(const struct mac *mac);
 int mac_allocate_slot(void);
 /*
diff --git a/sys/security/mac/mac_socket.c b/sys/security/mac/mac_socket.c
index be1363024657..e9f94404734a 100644
--- a/sys/security/mac/mac_socket.c
+++ b/sys/security/mac/mac_socket.c
@@ -521,7 +521,8 @@ mac_socket_label_set(struct ucred *cred, struct socket *so,
 }
 int
-mac_setsockopt_label(struct ucred *cred, struct socket *so, struct mac *mac)
+mac_setsockopt_label(struct ucred *cred, struct socket *so,
+ const struct mac *mac)
 {
 struct label *intlabel;
 char *buffer;
@@ -554,7 +555,8 @@ out:
 }
 int
-mac_getsockopt_label(struct ucred *cred, struct socket *so, struct mac *mac)
+mac_getsockopt_label(struct ucred *cred, struct socket *so,
+ const struct mac *mac)
 {
 char *buffer, *elements;
 struct label *intlabel;
@@ -593,7 +595,7 @@ mac_getsockopt_label(struct ucred *cred, struct socket *so, struct mac *mac)
 int
 mac_getsockopt_peerlabel(struct ucred *cred, struct socket *so,
- struct mac *mac)
+ const struct mac *mac)
 {
 char *elements, *buffer;
 struct label *intlabel;
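Review bot: The new `const struct mac *mac` on mac_getsockopt_label() (`@@ -554`) and mac_getsockopt_peerlabel() (`@@ -593`) protects only the struct's own fields; per the commit message these functions still change the data the struct points to. That contract is not written down at either definition, so a caller reading the prototype could take `const` to mean the call has no output at all. A short comment above each get function would state it, for example `/* Writes the label text to the buffer *mac points at; *mac itself is not modified, so callers need not copy it back out. */`. The bodies of all three functions continue outside the hunks, so the actual writes are not visible here.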